Mobile network security report: Netherlands

GSM Map Project
Security Research Labs, Berlin
July 2014

Abstract. Mobile networks differ widely in their protection capabilities against common attacks. This report details the protection capabilities of three mobile networks in the Netherlands. All 3G networks in the Netherlands implement sufficient 3G intercept protection. Some popular passive 2G intercept devices will not work against KPN. KPN 2G users are predominantly using the latest encryption technology. Users of T-Mobile are not sufficiently protected from 2G intercept. Impersonating 2G users of T-Mobile and Vodafone is possible with simple tools.

Secondly, the intercepted call and SMS traces need to be decrypted. In 2G networks, this can be prevented by hardening the A5/1 cipher or by upgrading to modern encryption algorithms. Currently, there is no publicly known cryptanalytic attack against the common 3G encryption algorithm, A5/3. All 3G networks in the Netherlands use this encryption algorithm.

Hardening the A5/1 cipher. The A5/1 cipher was developed in 1987 and is still the most common encryption algorithm for 2G calls. First weaknesses of this cipher were discussed in , but it took until the mid-2000s until successful attacks on 2G were demonstrated publicly. These attacks exploit (partially) known plaintexts of the encrypted GSM messages to derive the encryption key. Consequently, countermeasures need to reduce the number of predictable bits in 2G frames.

Nowadays, several generations of passive A5/1 decipher units exist that attack different parts of the transaction. Early generation boxes attack the Cipher Mode Complete message. Vodafone generally protects from these boxes. KPN and T-Mobile are fully vulnerable (Require IMEI in CMC). More modern decipher units leverage predictable Null frames. These Null frames contain little to no relevant information and are filled up with a fixed uniform padding, facilitating known-plaintext attacks. None of the networks in the Netherlands have deployed protection against this type of attack. Recently updated intercept boxes further leverage System Information (SI) messages. These messages can be randomized, or not sent at all during encrypted transactions (SI randomization). None of the networks in the Netherlands are protected against this type of attack.

Upgrading to modern encryption algorithms. With the introduction of 3G mobile telecommunications technology, the A5/3 cipher was introduced to 2G standards. Only theoretical attacks on this cipher have so far been presented publicly, none of which have practical significance. Modern phones can use this cipher for 2G communication, if the network supports it. With passive intercept being prevented, attackers must use active intercept equipment, e.g. fake base stations, as described in Section 3.2. KPN and Vodafone have begun rolling out A5/3. To intercept subscribers of KPN and Vodafone in A5/3-enabled areas, attackers will need to use active equipment. In the Netherlands, T-Mobile continues to mostly rely on outdated encryption.

3.2 Active intercept

Attacks through fake 2G base stations can be prevented to different degrees, based on what the fake base station is used for:

Location finding: In this attack scenario, a phone is lured onto a fake station so that the phone's exact location can be determined. This scenario occurs independent of the phone network and hence cannot be prevented through network protection measures.

2 See https://groups.google.com/forum/#!msg/uk.telecom/tkdcaytoeu4/mroy719hdroj

Mobile network security report: Netherlands Page 5

Outgoing call/SMS intercept: A fake base station can proxy outgoing connections. In this attack, connectivity to the real network is not necessarily required, so no protection can be achieved from outside the phone.

Encrypted call/SMS intercept: Modern fake base stations execute full man-in-the-middle attacks in which connections are maintained with both the phone and the real network. Networks can make such active attacks more difficult with a combination of two measures: first, by not allowing unencrypted calls; secondly, by decreasing the authentication time given to an attacker to break the encryption key. This timeout can be as much as 12 seconds according to common standards. The GSM Map database currently lacks reliable data on authentication times in the Netherlands.

All 2G networks in the Netherlands use encryption in all 2G call and SMS transactions. All 3G networks in the Netherlands encrypt relevant 3G transactions. However, the GSM Map currently lacks data to decide whether the networks would accept subscriber-originated unencrypted transactions as well.

3.3 Impersonation

Mobile identities can (temporarily) be hijacked using specific attack phones. These phones require the authentication key deciphered from one transaction. They use this key to start a subsequent transaction. The obvious way to prevent this attack scenario is by requiring a new key in each transaction (Authenticate calls/SMS). In the Netherlands, 2G call impersonation is possible against T-Mobile and Vodafone. The same is possible for SMS messages from T-Mobile. 3G networks are generally protected against this type of impersonation attack.

3.4 User tracking

Mobile networks are regularly used to track people's whereabouts. Such tracking occurs at two different granularities:

Global tracking: Internet-accessible services disclose the general location of GSM customers with a granularity typically on a city level. The data is leaked to attackers as part of SMS delivery protocols in the form of the MSC address (Mask MSC). All 2G networks in the Netherlands suppress MSC information for their customers in the Netherlands. In addition, users' IMSIs can leak in HLR requests. This is the case for KPN. T-Mobile and Vodafone protect this information.

Local tracking: Based on TMSI identifiers, users' association with location areas and specific cells can be tracked, providing a finer granularity than MSC-based tracking, but a less fine granularity than location finding with the help of fake base stations. IMSI-based tracking is made more difficult by changing the TMSI in each transaction (Update TMSI). None of the 2G networks in the Netherlands have addressed this threat thoroughly.
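The countermeasures named in this section are all measurable per network from observed transactions: the three passive-intercept protections (IMEI in Cipher Mode Complete, randomized padding, SI randomization) and the A5/3 share from the passive-intercept discussion, the per-transaction authentication that defeats impersonation (3.3), and the TMSI update that limits local tracking (3.4). The Python below is an added example, not the report's or SRLabs' GSM Map code: it computes such indicators from constructed transaction records and maps them onto the report's attack classes. The record fields, the 90% protection threshold, the sample frames and the "no data" handling are assumptions; the 0x2B fill octet is the fixed padding value GSM uses for unused layer 3 octets.

```python
"""GSM Map-style protection indicators from constructed 2G transaction records.

Added example (not SRLabs' code). Field names, thresholds and samples are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Fixed fill octet GSM uses to pad unused layer 3 octets; a tail of these is
# known plaintext unless the network randomizes padding.
GSM_FILL_OCTET = 0x2B


@dataclass
class Transaction:
    """One observed 2G call or SMS transaction (field names are assumptions)."""
    kind: str               # "call" or "sms"
    cipher: str             # "A5/0" (none), "A5/1" or "A5/3"
    authenticated: bool     # network ran an authentication, i.e. a fresh key
    tmsi_changed: bool      # TMSI was reallocated during the transaction
    imei_in_cmc: bool       # Cipher Mode Complete carried the IMEI
    si_randomized: bool     # SI messages randomized or withheld while ciphered
    padded_frames: List[Tuple[bytes, int]] = field(default_factory=list)  # (frame, payload length)


def padding_is_predictable(frame: bytes, payload_len: int) -> bool:
    """True when every unused octet after the payload is the fixed 0x2B filler."""
    tail = frame[payload_len:]
    return len(tail) > 0 and all(b == GSM_FILL_OCTET for b in tail)


def _share(items: list, predicate: Callable) -> Optional[float]:
    """Fraction of items satisfying predicate; None when nothing was observed."""
    if not items:
        return None
    return sum(1 for x in items if predicate(x)) / len(items)


def protection_indicators(txs: List[Transaction]) -> Dict[str, Optional[float]]:
    """Per-network rates of the protection features the report scores."""
    calls = [t for t in txs if t.kind == "call"]
    sms = [t for t in txs if t.kind == "sms"]
    frames = [f for t in txs for f in t.padded_frames]
    return {
        "encrypted_share": _share(txs, lambda t: t.cipher != "A5/0"),
        "a5_3_share": _share(txs, lambda t: t.cipher == "A5/3"),
        "imei_in_cmc_share": _share(txs, lambda t: t.imei_in_cmc),
        "random_padding_share": _share(frames, lambda f: not padding_is_predictable(*f)),
        "si_randomized_share": _share(txs, lambda t: t.si_randomized),
        "auth_call_rate": _share(calls, lambda t: t.authenticated),
        "auth_sms_rate": _share(sms, lambda t: t.authenticated),
        "tmsi_update_rate": _share(txs, lambda t: t.tmsi_changed),
    }


# Passive decipher generations named in the report and the indicator defeating each.
PASSIVE_VECTORS = (
    ("Cipher Mode Complete", "imei_in_cmc_share"),
    ("Null frame padding", "random_padding_share"),
    ("System Information", "si_randomized_share"),
)


def assess(ind: Dict[str, Optional[float]], threshold: float = 0.9) -> Dict[str, object]:
    """Map indicators onto the report's attack classes (90% threshold is an assumption)."""
    def verdict(key: str) -> str:
        value = ind[key]
        if value is None:
            return "no data"
        return "protected" if value >= threshold else "vulnerable"

    a53 = ind["a5_3_share"]
    if a53 is not None and a53 >= threshold:
        passive: List[str] = []  # A5/1 units are useless; attacker must go active
    else:
        passive = [name for name, key in PASSIVE_VECTORS if verdict(key) != "protected"]
    enc = ind["encrypted_share"]
    return {
        "unencrypted_transactions": enc is not None and enc < 1.0,
        "passive_intercept_vectors": passive,
        "call_impersonation": verdict("auth_call_rate"),
        "sms_impersonation": verdict("auth_sms_rate"),
        "local_tracking": verdict("tmsi_update_rate"),
    }


# Constructed 23-octet layer 3 frames: 4 payload octets followed by 19 padding octets.
HEADER = bytes([0x06, 0x32, 0x01, 0x02])                 # constructed header octets
FIXED_PAD = HEADER + bytes([GSM_FILL_OCTET]) * 19        # standard fixed filler
RANDOM_PAD = HEADER + bytes.fromhex("9f1147c3e0528b6d7a3c19f4b2d6e80a5c7e91")  # randomized

SAMPLE = [  # constructed observations, not measurements of any real network
    Transaction("call", "A5/3", True,  True,  True,  True,  [(FIXED_PAD, 4)]),
    Transaction("call", "A5/1", False, False, False, False, [(FIXED_PAD, 4), (RANDOM_PAD, 4)]),
    Transaction("sms",  "A5/1", True,  False, False, False, [(FIXED_PAD, 4)]),
    Transaction("sms",  "A5/1", False, True,  False, False, [(RANDOM_PAD, 4)]),
]

if __name__ == "__main__":
    indicators = protection_indicators(SAMPLE)
    for name, value in indicators.items():
        print(f"{name:>22}: {'n/a' if value is None else f'{value:.2f}'}")
    print(assess(indicators))
```

Rates are reported as None rather than 0.0 when a category was never observed, so a network with no captured SMS transactions shows "no data" for SMS impersonation instead of a false "vulnerable", mirroring the report's own distinction between a measured weakness and a gap in the GSM Map database.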

4 Conclusion

The mobile networks in the Netherlands implement only few of the protection measures observed in other networks. KPN and Vodafone have begun upgrading their networks to the more secure A5/3 encryption algorithm. T-Mobile and Vodafone are protecting their subscribers particularly well against tracking.

The evolution of mobile network attack and defense techniques is meanwhile progressing further: modern A5/1 deciphering units are harvesting the remaining non-randomized frames and, thanks to faster computers, are achieving high intercept rates again. The 3GPP, on the other hand, has already completed standard extensions to reduce the A5/1 attack surface to a minimum. These standards from 2009 are only hesitantly implemented by equipment manufacturers, leaving users exposed to phone intercept risks. The available protection methods, even when implemented in full, are barely enough to protect users sufficiently. A stronger push for implementing modern protection measures is needed to revert this erosion of mobile network security.
